1. Field of the Invention
This invention relates generally to the fields of network switch policy management, network security, and network anomaly detection and mitigation, and, more specifically, to distributed, on-switch methods of enforcing network switch policies, promoting network security, or detecting and mitigating network anomalies, which methods may be embodied as one or more rules stored locally at the network switches.
2. Related Art
To handle network attacks, viruses or other network anomalies, current networks typically perform a filtering function, centralized at one or more gateway switches that function as gateways between various subnets of the network, whereby potentially problematic packets are identified and sent to a port accessible by a network administrator and/or external appliance. The network administrator/external appliance manually examines the packets, and then takes appropriate action. If the packets in fact represent a network attack, virus or other anomaly, the network administrator may respond by downloading suitable rules known as Access Control Lists (ACLs) to the gateway switches within the network, instructing them to ignore the potentially problematic packets on an ongoing basis.
As this approach is highly fragmented, involving as it does detection of a potentially problematic packet at the gateway switch, followed by inspection of the packet by a network administrator/external appliance, followed by downloading of suitable ACLs at these gateway switches denying access to these packets, there is often a long latency between the time the potentially problematic packets are identified at the gateway switches and the time an appropriate response is implemented. Because of this latency, even after being detected, a network attack may propagate itself throughout the entire network, disrupting or disabling significant portions, before a response can be implemented.
Moreover, as this approach is often centralized at one or more gateway switches, it is incapable of detecting or responding to internal attacks that originate within a particular subnet. And it cannot exploit useful information maintained at the edge, non-gateway switches of a subnet that could assist in detecting and responding to many forms of network attacks.
Nor is this approach easily scaleable with the number of network switches in the network or the amount of traffic handled. In fact, as this approach involves filtering all packets of a particular type or from a particular user to the network administrator or external appliance, even if the packets are valid and unassociated with a network anomaly, it frequently overloads the network administrator as the number of switches, nodes or traffic within a network increases.
Nor can current ACLs solve the problem as current ACLs are incapable of detecting and responding to network attacks with the necessary level of precision and dynamism. Consider, for example, the following ACL (named icmp) configured for the purpose of addressing the problem of network flooding of a certain type of packet (ICMP echo requests) originating from a particular subnet (10.203.134.0/24):
entry icmp {                IF {                    source-address 10.203.134.0/24;            protocol icmp;            icmp-type echo-request;                        } THEN {                    mirror enable icmp;                        }        
}
As this ACL always mirrors ICMP echo requests from the particular subnet, it is triggered even when an ICMP echo flooding condition is not present, resulting in many valid ICMP requests being mirrored. Also, because it requires the network administrator or network appliances to sort through many valid ICMP echo requests, it has the potential of overloading the network administrator or external appliance. Further, because it always mirrors the ICMP requests, it is incapable of dynamically responding, such as permitting access to ICMP echo requests when a once-present flooding condition has abated.
Therefore, there is a need for a more integrated, rapid, dynamic, scaleable and integrated approach for enforcing a policy relating to one or more network switch resources and/or detecting and responding to one or more network attacks, viruses and other anomalies, and/or selectively filtering packets to an externally-accessible port.